Currently viewing ATT&CK v10.1 which was live between October 21, 2021 and April 24, 2022. Learn more about the versioning system or see the live site.
  1. Home
  2. Software
  3. LookBack

LookBack

LookBack is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using LookBack.[1][2][3]

ID: S0582
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 01 March 2021
Last Modified: 26 April 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

LookBack’s C2 proxy tool sends data to a C2 server over HTTP.[1]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

LookBack sets up a Registry Run key to establish a persistence mechanism.[1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

LookBack executes the cmd.exe command.[1]
.005 Command and Scripting Interpreter: Visual Basic

LookBack has used VBA macros in Microsoft Word attachments to drop additional files to the host.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

LookBack has a function that decrypts malicious data.[1]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

LookBack uses a modified version of RC4 for data transfer.[1]
Enterprise T1083 File and Directory Discovery

LookBack can retrieve file listings from the victim machine.[1]
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

LookBack side loads its communications module as a DLL into the libcurl.dll loader.[1]
Enterprise T1070 .004 Indicator Removal on Host: File Deletion

LookBack removes itself after execution and can delete files on the system.[1]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

LookBack has a C2 proxy tool that masquerades as GUP.exe, which is software used by Notepad++.[1]
Enterprise T1095 Non-Application Layer Protocol

LookBack uses a custom binary protocol over sockets for C2 communications.[1]
Enterprise T1057 Process Discovery

LookBack can list running processes.[1]
Enterprise T1113 Screen Capture

LookBack can take desktop screenshots.[1]
Enterprise T1489 Service Stop

LookBack can kill processes and delete services.[1]
Enterprise T1007 System Service Discovery

LookBack can enumerate services on the victim machine.[1]
Enterprise T1529 System Shutdown/Reboot

LookBack can shutdown and reboot the victim machine.[1]

References

  1. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  2. Dragos. (null). TALONITE. Retrieved February 25, 2021.
  1. Dragos. (n.d.). ICS Cybersecurity Year in Review 2020. Retrieved February 25, 2021.